What is two-factor authentication (2FA)?

May 2, 2019 / March 4, 2020

“It is a method of confirming users’ claimed identities by using a combination of two different factors”.

Two-factor authentication, commonly abbreviated to 2FA or referred to as multi-factor or two-step verification, is the process of verifying someone’s identity with two out of three possible identifiers:

- Something you know
- Something you have
- Something you are

Colloquially, what many people mean when they say “two-factor authentication,” or 2FA, is when a website asks you to type in a code after you’ve already entered your password. Two-factor authentication adds a layer of security to the authentication process, therefore making it harder for someone to gain access to online accounts, because knowing the victim’s password alone is not enough.

Traditional online authentication has relied on something you know, a password. There are several problems with this approach:

- A password is a secret that you must share with the organization identifying you. More often than not you have no way to verify that your password has been transmitted or stored safely.
- Anyone observing you, whether they’re using a keylogger or just standing behind you, can obtain your secret.
- We are bad at memorizing strong passphrases, which leads people to reuse passwords and choose passwords that aren’t complex enough.

By requiring an additional factor, such as a secret code taken from an RSA token or sent by SMS to your phone, we can dramatically reduce the risk of being impersonated.

~ Taken from “The power of two – All you need to know about two-factor authentication” by Chester Wisniewski for Naked Security by Sophos & “Two-factor authentication (2FA): why you should care” by Maria Varmazis for Naked Security by Sophos